Login Sign Up

CVE-2022-0332

9.8 CRITICAL
SQL Injection

📋 TL;DR

This SQL injection vulnerability in Moodle's H5P activity web service allows attackers to execute arbitrary SQL commands. It affects Moodle installations running versions 3.11 through 3.11.4. Attackers could potentially access, modify, or delete database content.

💻 Affected Systems

Products:
  • Moodle
Versions: 3.11 to 3.11.4
Operating Systems: All platforms running Moodle
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects installations with H5P activity module enabled and web services configured.

📦 What is this software?

Moodle by Moodle

View all CVEs affecting Moodle →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise leading to data theft, data manipulation, or full system takeover via subsequent attacks.

🟠

Likely Case

Unauthorized access to sensitive user data, including personal information and academic records.

🟢

If Mitigated

Limited impact if proper input validation and database permissions are enforced, though SQL injection remains dangerous.

🌐 Internet-Facing: HIGH - Moodle instances accessible from the internet are directly exposed to exploitation attempts.
🏢 Internal Only: MEDIUM - Internal attackers or compromised internal systems could exploit this vulnerability.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires access to the web service endpoint, but SQL injection vulnerabilities are typically easy to exploit once identified.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.11.5 and later

Vendor Advisory: https://moodle.org/mod/forum/discuss.php?d=431099

Restart Required: No

Instructions:

1. Backup your Moodle installation and database. 2. Upgrade to Moodle 3.11.5 or later. 3. Verify the upgrade completed successfully. 4. Test H5P functionality.

🔧 Temporary Workarounds

Disable H5P web service

all

Temporarily disable the vulnerable web service endpoint until patching is possible.

Navigate to Site administration > Plugins > Web services > External services and disable the H5P service

Restrict web service access

all

Limit access to the web service through network controls or authentication requirements.

Configure firewall rules to restrict access to /webservice/rest/server.php endpoints

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block SQL injection patterns
  • Apply strict database user permissions to limit potential damage from exploitation

🔍 How to Verify

Check if Vulnerable:

Check Moodle version in Site administration > Notifications or via CLI: php admin/cli/version.php

Check Version:

php admin/cli/version.php | grep 'Release'

Verify Fix Applied:

Confirm version is 3.11.5 or later and test H5P web service functionality

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple failed authentication attempts to web services
  • Unexpected access to H5P-related endpoints

Network Indicators:

  • Unusual traffic patterns to /webservice/rest/server.php
  • SQL error messages in HTTP responses

SIEM Query:

source="moodle_logs" AND ("webservice" OR "H5P") AND ("error" OR "sql" OR "injection")

📊 Metadata

CVE ID: CVE-2022-0332
CVSS v3 Score: 9.8 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-89
Published: January 25, 2022
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2022-0332, you might also want to check these:

CVE-2024-8522 10.0

This vulnerability allows unauthenticated attackers to perform SQL injection attacks on WordPress si...

Same vulnerability type (CWE-89)
CVE-2024-13152 10.0

This SQL injection vulnerability in BSS Software's Mobuy Online Machinery Monitoring Panel allows at...

Same vulnerability type (CWE-89)
CVE-2021-42311 10.0

CVE-2021-42311 is a critical SQL injection vulnerability in Microsoft Defender for IoT that allows r...

Same vulnerability type (CWE-89)